Adding a JSON file for domain verification - azure

I am trying to verify my domain through Azure using this Article. However, it keeps saying it cannot verify. I think maybe it's because I am assuming just putting it in my wwwroot is sufficient, but I don't know what else I need to do to have https://{YOUR-DOMAIN-HERE}.com/.well-known/microsoft-identity-association.json open the file itself for verification.
Verification of publisher domain failed. Unable to connect to https://mydomain/.well-known/microsoft-identity-association. [uFNK6]

Many people have faced this issue, you could have a look at this1 and this2 on Github. You may get one-time free support ticket for this issue via
You could send an email to AzCommunity[at]microsoft[dot]com with a
reference to this thread and also your Azure Subscription GUID.
As a workaround, you could add your custom domain to Azure AD. Then verify your custom domain name. After verifying your domain, you could directly select a verified domain or verify a new domain in the Publisher Domain panel without host the file at https://{YOUR-DOMAIN-HERE}.com/.well-known/microsoft-identity-association.json.
Hope this could help you.

I solved this problem by adding a web.config file to the .well-known folder to remove charset=utf8 from the Content-Type response. This appears to be necessary.
Beofre you start you can check with Curl from a PowerShell instance to see if the Content-Type being returned includes the charset and therefore is the source of your problem.
C:> curl https://www.whateveryourdomainis.org/.well-known/microsoft-identity-association.json
The web.config file contents is as follows:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<clear />
<add name="MicrosoftIdentityAssociation" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
</handlers>
<staticContent>
<remove fileExtension=".json" />
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
</system.webServer>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
You need to be aware that this will modify the child folders too and so if you have other sub-folders you may have to take remedial action ie another web.config file putting it back. However, it may be that once you have verified the site, the verification code can be deleted. See [https://learn.microsoft.com/en-us/answers/questions/37272/should-we-continue-to-host-microsoft-identity-asso.html][2]

Related

IIS Authorization Rules multiple Groups levels web.config

I am currently using the following in my IIS 10 web.config to limit access to my website.
We have planed to add another group here to give access to some parts of the website to other users.
My questions is what is best approach here?
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="" roles="WebSuperUsers" />
</authorization>
</security>
New group needs to have access to index file in root and some other pages located under different folders.

IIS Server: Restrict users to access files of server

I have one server, which allows users to host their web app free of cost.
In server I have 4 different pools.
2 pools are for .Net Framework,
1 pool is for .Net MVC,
1 pool is for .Net Core 3.1
Each pools has 50+ appliations.
For security testing I have created one program, Which takes fullpath/location of file and read that file form IIS server. If any user upload that type of code in my server then they can assess any files.
Now, that is the issue with my server.
Now, I want to do, My users can access only their application resources not other's too.
But, I don't know how to do this.
In order to restrict users to access files in IIS, we could refer to the below configuration in root web.config file.
<location path="myfolder">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<!--for authentication, we should enable either windows authentication or form authentication in IIS authentication module.-->
<add accessType="Allow" roles="Administrators" />
</authorization>
</security>
</system.webServer>
</location>
It will restrict everything under Myfolder. In particular, rule out a specific file.
<location path="my.jpg">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Administrators" />
</authorization>
</security>
</system.webServer>
</location>
Feel free to let me know if there is anything I can help with.

IIS 10 .Net Authorization woes with AD groups

I'm trying to secure a simple ASP.net website hosted on an internal IIS10 instance so that only a specific AD group can access it.
All my testing (and the final usage) would be internal to the same domain on which the IIS server resides - no external or cross-domain usage will occur.
Within Site Authentication I only have Windows Authentication enabled with a HTTP 401 Challenge response type. Enabled providers are Negotiate and NTLM (in that order), Extended Protection is Off and Kernel-mode authentication is enabled
In .NET Authorisation Rules I have no explicit Deny Rules.
If I add a 'Specified users' Allow Rule for my user account (and thus the user for which I'm testing access to the website) then I am able to access the website. At this point the relevant area of the web.config file looks like this:
<authorization>
<allow users="MYDOMAIN\MYUSERACCOUNT" />
</authorization>
If I remove that Allow Rule and add a 'Specified roles or user groups' Allow Row for an AD group for which my user account is a member of then I am unable to access the website and browsing to it prompts me for a Sign in dialog box which entering my AD credentials then gives a 401 error.
At this point the relevant area of the web.config file looks like this:
<authorization>
<allow roles="MYDOMAIN\AwesomeUsers" />
</authorization>
I've tried changing various Authentication settings (changing the order, disabling Kernel-mode authentication etc), adding the domain groups in the 'allow users' section in the Web.config but I just cant get AD group authentication working.
IIS isn't my strong point so would really appreciate any hints or tips I can try, Thanks! :)
try to use below code:
web.config:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="DOMAIN\ADGROUP" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
applicationHost.config:
<configuration>
<location path="YOUR-APP">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
</configuration>

IIS Client Certificate Mapping Rule not being respected

I am running IIS 8.5 on a Windows Server 2012 R2. I have configured a WebAPI (built on ASP.net) web site to use HTTPS (self-signed) with IIS Client Certificate Mapping for client certificate authentication. I am using the ManyToOneMapping where I have defined one local account to be associated to the client certificate with the incoming request. Furthermore, I have defined a Rule in the mapping so that if the "Subject" field in the certificate contains a certain string then it should allow the request.
Now, when I hit the url in the API application, Firefox prompts me to select the certificate to be used (as expected). And when i select one of the certificates that does not contain that string defined in the mapping Rule, the browser is still served with the resource. I was expected a forbidden response instead. So, it would appear that the Client Certificate mapping is not working as expected.
As I am new to IIS, I am wondering how I could go about to find out how to troubleshoot this situation. Thanks in advance.
Here is snippet from the applicationhost.config file:
<location path="SimpleApi" overrideMode="Allow">
<system.webServer>
<security>
<authentication>
<iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="false">
<manyToOneMappings>
<add name="Authorized Access" description="Some long description" userName="SomeUser" password="[enc:AesProvider:removed:enc]">
<rules>
<clear />
<add certificateField="Subject" certificateSubField="OU" matchCriteria="Admin" />
</rules>
</add>
</manyToOneMappings>
<oneToOneMappings />
</iisClientCertificateMappingAuthentication>
</authentication>
</security>
</system.webServer>
</location>
<location path="SimpleApi">
<system.webServer>
<security>
<access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
</security>
</system.webServer>
</location>
The only possibility is you have other authentication mechanism enabled for your website and it is simply falling back to that authentication mechanism.
Check the Authentication module for your website in IIS and disable all other authentication mechanism.

Asp.net Core Web API - Current user & Windows Authentication

We have following technical stack in our application
AngularJS2
Asp.Net Core API
SQL Server
Now we need to store User Name for the Logged in User in table during Create/Edit for given item i.e. in Core API.
We have tried with
WindowsIdentity.GetCurrent().Name, it gives IIS APPPOOL\Asp.netCore
HttpContext.User.Identity gives null value
I get User Name with WindowsIdentity while working with Visual Studio, but with IIS, it gives value as Asp.Netcore i.e. pool name
Windows Authentication is enabled and Anonymous Authentication is disabled
Using IIS Version 6.1
Am I missing anything?
Do you have the forwardWindowsAuthToken set to true in the web.config?
<aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="true"/>
I looked around and it was suggested to create Asp.Net Core WebApi application using Windows Authentication.
So when i created Asp.Net Core WebApi using Windows Authentication it worked and i got values in User.Identity objects.
So i created 2 applications i.e. one with Windows Authentication and one without, and then compared all files and found changes in following files
forwardWindowsAuthToken - true, this was tried before but issue was not solved and same was suggested by Daboul
launchSettings.json, Set windowsAuthentication: true & anonymousAuthentication: false
After doing this, I was able to values in User.Identity object.
The launchSettings.json file:
{
"iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": false
}
}
The Web.Config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore forwardWindowsAuthToken="true" processPath="C:\Program Files\dotnet\dotnet.exe" arguments=".\YourWebsite.dll" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" />
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</configuration>
On Windows Server 2012 R2/IIS 8.0, even after setting forwardWindowsAuthToken=true in web.config, User.Identity.Name was not returning the user name but IIS APPPOOL so to resolve the issue I made below change;
Go to the web application in IIS
Open Configuration Editor
Change Section to system.webServer/serverRuntime
Change authenticatedUserOverride to UseAuthenticatedUser (for me it was set to UseWorkerProcessUser)
For further details refer to below link;
https://blogs.iis.net/jaroslad/what-does-the-authenticateduseroverrideuser-do

Resources